DrBitcoin (OP)
February 08, 2014, 02:14:19 PM (Last edit: February 08, 2014, 03:11:39 PM by DrBitcoin)
I am concerned about Coinbase hacks, just like many of you. Websites like The Verge and other mainstream tech sites are running articles about seemingly tech-savvy individuals being hacked.

For the record, I have very few BTC. That said, I'd put them all in cold storage, but I like that Coinbase syncs with Mint.com.

Is it reasonable to assume that if an individual does the following, they have covered their bases?

1) uses a strong, unique, random string of letters and numbers for a Coinbase password
2) uses two-factor authentication (using phone numbers that are unique to their cell phones, NOT Google Voice)
3) uses a strong, unique, random string of letters and numbers for their backup email password
4) avoids junk mail and phishing scams, never opens attachments, doesn't download altcoin wallet apps
5) EDIT: only goes to websites that are links stored in my browser

Am I missing anything?

Thanks,
Dr. Bitcoin
Avalaxy
February 08, 2014, 02:22:30 PM
A strong password is good, but it needs to be unique to Coinbase; don't use it for anything else. Also, never use email 2FA; use phone 2FA or Google Authenticator. Make sure you disable all your API keys, or if you need an API key, be very careful with it and only give it the permissions that it really needs.
Barek
February 08, 2014, 02:24:17 PM
Be mindful of the URL and server certificate authenticity.
All the passwords and 2FA do you no good if you are supplying that info to the wrong website.
DrBitcoin (OP)
February 08, 2014, 02:57:43 PM
Quote from: Avalaxy
> A strong password is good, but it needs to be unique to Coinbase; don't use it for anything else. Also, never use email 2FA; use phone 2FA or Google Authenticator. Make sure you disable all your API keys, or if you need an API key, be very careful with it and only give it the permissions that it really needs.

Let's be clear. I am using UNIQUE random long passwords with mixed-case letters, numbers and dashes.

One thing: I am using Coinbase limits to allow for limit orders. This uses an API, and I was assured by the developer that it is safe, and that if a hacker somehow managed to access it, the most they could do is buy or sell my coins, not make transfers. This would still be terrible.

Coinbase should allow the user to require a text or email to confirm a transaction before it occurs, like "Are you sure you want to send these Bitcoins?" This email can go to a different email of choice, and only be used for that purpose. That way, if a scumbag somehow manages to get into your account and tries to transfer your Bitcoins, you get an email to this unique email address saying "Are you sure you want to transfer 2 BTC? Click this link to confirm this transfer."
DrBitcoin (OP)
February 08, 2014, 02:59:07 PM
Quote from: Barek
> Be mindful of the URL and server certificate authenticity.
> All the passwords and 2FA do you no good if you are supplying that info to the wrong website.

I only go to these websites through my iOS browser link. Good point though.
rat
February 08, 2014, 04:35:13 PM
Coinbase has one really bad verification option that is a security red flag: they ask for your bank login and password as a verification option.

Of course, it's an option, as opposed to allowing them to deposit two small amounts of change for verification, but it's still bad.

And the report that came out after a system security audit proved that they are dropping the ball somewhere on their end.

All of the Bitcoin exchanges are using bad practices. All of them.
BCB
February 08, 2014, 04:41:11 PM
My understanding was that most of these "hacks" happened as a result of Coinbase clients who had activated an API key to access their Coinbase accounts AND had their personal computers compromised. Coinbase has recently added more granular control for their API keys and explains it here: http://blog.coinbase.com/post/75936737678/more-security-and-granular-control-with-the-new-api

If you are using API access you should read this. And if you don't understand it, you should delete API access for your account until you do. Also ALWAYS use 2-factor authentication like Google Authenticator. I've never heard of a hack or compromise, in Bitcoin, that has defeated 2FA.
BCB
February 08, 2014, 04:47:21 PM
Also, I understand that most of the recent hacks were a result of this Coinbase phishing attack: https://bitcointalk.org/index.php?topic=438261.msg4815551#msg4815551

It essentially tricked users into clicking on the Google link that took you to a fake Coinbase site. Once you logged in, you gave the hackers access to your account, which they would use to log into your account and transfer your coins. THIS ATTACK DID NOT WORK FOR THOSE ACCOUNTS WITH 2FA. All a 2FA user had to do when he realized it was a fraudulent site was to log into the real Coinbase account with his 2FA and change his password. [However, the phishing attack could also have downloaded a key logger, which I believe this attack did not.] Again, most hackers prey on low-hanging fruit. Which means if you do not understand the security implications of virtual currency, you should not be moving or storing large amounts of funds until you do understand it.
ArticMine
February 08, 2014, 04:51:17 PM
Quote from: DrBitcoin
> I am concerned about Coinbase hacks, just like many of you. Websites like The Verge and other mainstream tech sites are running articles about seemingly tech-savvy individuals being hacked.
> For the record, I have very few BTC. That said, I'd put them all in cold storage, but I like that Coinbase syncs with Mint.com.
> Is it reasonable to assume that if an individual does the following, they have covered their bases?
> 1) uses a strong, unique, random string of letters and numbers for a Coinbase password
> 2) uses two-factor authentication (using phone numbers that are unique to their cell phones, NOT Google Voice)
> 3) uses a strong, unique, random string of letters and numbers for their backup email password
> 4) avoids junk mail and phishing scams, never opens attachments, doesn't download altcoin wallet apps
> 5) EDIT: only goes to websites that are links stored in my browser
> Am I missing anything?
> Thanks,
> Dr. Bitcoin

Yes, you have missed something: if you have not done so already, stop using Microsoft Windows and start using GNU/Linux.
keithers
February 08, 2014, 05:01:58 PM
Use 2FA for withdrawals of any size.
BCB
February 08, 2014, 05:10:47 PM
Quote from: DrBitcoin
> I am concerned about Coinbase hacks, just like many of you. Websites like The Verge and other mainstream tech sites are running articles about seemingly tech-savvy individuals being hacked.
> For the record, I have very few BTC. That said, I'd put them all in cold storage, but I like that Coinbase syncs with Mint.com.
> Is it reasonable to assume that if an individual does the following, they have covered their bases?
> 1) uses a strong, unique, random string of letters and numbers for a Coinbase password
> 2) uses two-factor authentication (using phone numbers that are unique to their cell phones, NOT Google Voice)
> 3) uses a strong, unique, random string of letters and numbers for their backup email password
> 4) avoids junk mail and phishing scams, never opens attachments, doesn't download altcoin wallet apps
> 5) EDIT: only goes to websites that are links stored in my browser
> Am I missing anything?
> Thanks,
> Dr. Bitcoin

Quote from: ArticMine
> Yes, you have missed something: if you have not done so already, stop using Microsoft Windows and start using GNU/Linux.

+1. You could even create a dual-boot box and conduct your Bitcoin activity on the Linux install (a security expert would have to verify that this would protect you if you also had Windows installed on the same machine).
adeojo
February 08, 2014, 05:59:49 PM
I did all. My coins were stolen. So far they have refused to refund my coins. Some people have been refunded. They have a security problem (but continue to blame phishing attacks).

I have used the same simple password with no 2FA for a bank for the last 10 years. How come I have not been a victim? I have never lost a cent.

Coinbase prides itself as SAFE and SECURE and supposedly on the cutting edge of security, yet all these stories of coins being stolen. To make matters worse, they do not show their face; no phone numbers to call.

If Coinbase is not up to the task, they should get out of the way. All, please do not use their service until it is fixed.

FYI, this is how it all began with MtGox.
keithers
February 08, 2014, 06:04:16 PM
Coinbase just made some changes to the security for API keys. I would recommend connecting only the devices you really, really need to Coinbase. There is no reason to connect extra devices and expose yourself to further risk if you are just checking your balances with the additional connected devices. Also make sure to log in and check all active sessions. End all of them except the one you are currently using.
Barek
February 08, 2014, 06:12:47 PM
Does Coinbase offer IP-based security, where you can specify which countries may log into your account?
I always thought that was a simple way to get a good bit of extra security.
coastermonger
February 08, 2014, 06:28:42 PM
2-factor is useful, but remember that anything can be vulnerable to phishing. If you go to a fake website and give them your username, password, and 2-factor code(s), you're done. Always make sure to check the browser URL when logging in.
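The URL check Barek and coastermonger recommend, as an added example written for this page (not code from the thread or from Coinbase): a defender-side Python routine that flags the lookalike-host tricks a fake login page of the kind described above typically relies on. The allowlisted domain, the homoglyph map and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# The registrable domain the user intends to log in to (the site under discussion).
EXPECTED_DOMAIN = "coinbase.com"

# Digit-for-letter substitutions common in lookalike domains (constructed, not exhaustive).
_HOMOGLYPHS = str.maketrans("013", "ole")


def check_login_url(url, expected=EXPECTED_DOMAIN):
    """Return (ok, reason) for whether url is served by the expected site.

    Structural tricks (userinfo, plain http, punycode labels) are reported
    before the hostname comparison so the reason names the trick.
    """
    parts = urlsplit(url)
    host = parts.hostname  # lowercased; port and any user:pass@ already stripped
    if host is None:
        return False, "no hostname"
    if parts.scheme != "https":
        return False, "not https"
    if "@" in parts.netloc:
        # https://coinbase.com@evil.example/ : text before '@' is a username, not the host
        return False, "userinfo in URL"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label in host"
    if host == expected or host.endswith("." + expected):
        return True, "host matches"
    brand = expected.split(".")[0]
    if brand in host or brand in host.translate(_HOMOGLYPHS):
        return False, "lookalike host %r" % host
    return False, "unexpected host %r" % host


def triage(urls, expected=EXPECTED_DOMAIN):
    """Map each candidate URL to its verdict, e.g. when reviewing bookmarks or proxy logs."""
    return {u: check_login_url(u, expected) for u in urls}


# Constructed sample URLs in the style of the phishing described in the thread.
SAMPLE_URLS = [
    "https://www.coinbase.com/signin",
    "http://coinbase.com/signin",
    "https://coinbase.com.account-verify.example/",
    "https://coinbase.com@evil.example/",
    "https://c0inbase.com/",
]

if __name__ == "__main__":
    for url, (ok, reason) in triage(SAMPLE_URLS).items():
        print("OK " if ok else "BAD", url, "-", reason)
```

Only the first sample URL passes; a bookmark whose host fails this check is worth re-creating from a known-good address rather than trusting.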
keithers
February 08, 2014, 07:06:31 PM
Quote from: Barek
> Does Coinbase offer IP-based security, where you can specify which countries may log into your account?
> I always thought that was a simple way to get a good bit of extra security.

I believe you can whitelist only specific IP addresses.
DrBitcoin (OP)
February 08, 2014, 07:49:10 PM
Quote from: DrBitcoin
> I am concerned about Coinbase hacks, just like many of you. Websites like The Verge and other mainstream tech sites are running articles about seemingly tech-savvy individuals being hacked.
> For the record, I have very few BTC. That said, I'd put them all in cold storage, but I like that Coinbase syncs with Mint.com.
> Is it reasonable to assume that if an individual does the following, they have covered their bases?
> 1) uses a strong, unique, random string of letters and numbers for a Coinbase password
> 2) uses two-factor authentication (using phone numbers that are unique to their cell phones, NOT Google Voice)
> 3) uses a strong, unique, random string of letters and numbers for their backup email password
> 4) avoids junk mail and phishing scams, never opens attachments, doesn't download altcoin wallet apps
> 5) EDIT: only goes to websites that are links stored in my browser
> Am I missing anything?
> Thanks,
> Dr. Bitcoin

Quote from: ArticMine
> Yes, you have missed something: if you have not done so already, stop using Microsoft Windows and start using GNU/Linux.

I use Mac and iOS.
keithers
February 08, 2014, 08:31:04 PM
Every company that has a massive number of users and deals with money will have instances of theft. It is just a fact. Nothing can be done about that. Bank fraud probably happens thousands if not millions of times a day. It's just that the Bitcoin community is still relatively small, so each incident is more scrutinized.
acoindr
February 08, 2014, 11:05:45 PM
Quote from: DrBitcoin
> I am concerned about Coinbase hacks, just like many of you. Websites like The Verge and other mainstream tech sites are running articles about seemingly tech-savvy individuals being hacked.
> For the record, I have very few BTC. That said, I'd put them all in cold storage, but I like that Coinbase syncs with Mint.com.
> Is it reasonable to assume that if an individual does the following, they have covered their bases?
> 1) uses a strong, unique, random string of letters and numbers for a Coinbase password
> 2) uses two-factor authentication (using phone numbers that are unique to their cell phones, NOT Google Voice)
> 3) uses a strong, unique, random string of letters and numbers for their backup email password
> 4) avoids junk mail and phishing scams, never opens attachments, doesn't download altcoin wallet apps
> 5) EDIT: only goes to websites that are links stored in my browser
> Am I missing anything?
> Thanks,
> Dr. Bitcoin

Yes, you are missing something. I haven't said this in a while, but new people are here so I need to say it again. If you have more money/coins stored with ANY online service than you can afford to lose, you have too much stored there. Period.

Bitcoin is going to teach people hard lessons. There is no FDIC or card company to run to. Whenever you turn over your coins you have a questionable chance of getting them back. There are numerous ways a service can lose your coins even if they have the most honest intentions. With Bitcoin you are your own bank. Learn to store the majority of your coins safely yourself in cold storage. I recommend Armory, which makes this pretty easy. If you don't trust yourself storing your own coins, at the very least spread them among different reputable services so your chance of losing everything when things go wrong is diminished. Eventually we may begin seeing insurance offered with Bitcoin wallets/services. Until then the above applies.